Medical devices – an unseen cybersecurity threat?

Imagine your MRI was the victim of ransomware. And then imagine the consequences for the healthcare trust of multiple misdiagnosis claims.
7 July 2023

When you absolutely, positively have to trust the data…

• Medical devices are subject to ransomware.
• They can also be used to feed malware into a healthcare system.
• If unpatched, they can be made to give false diagnoses.

Medical devices in hospitals, clinics and other healthcare centers play a primary and vital role in modern medicine.

But they also quietly represent a massively significant cybersecurity threat.

How?

Simple. As we discovered in Part 1 of this article when talking to Keith Christie-Smith, Strategic Accounts Director (Government, Healthcare & Defence) at Claroty, a company that specializes in securing the extended Internet of Things (XIoT) from cyberattack, medical devices are part of healthcare networks.

But they’re very much a neglected part of such networks. They’re overlooked as “objects,” in a way we would never overlook laptops, desktops, or smartphones.

They’re deeply sensitive to active scanning, so vulnerabilities in their systems often accrete invisibly. They’re caught in a world of resource scarcity and vendor reluctance, which means it’s both relentlessly difficult and eye-wateringly expensive to get them patched or updated in the same way that laptops and smartphones are.

That means that while they’re connected to healthcare networks – for the transmission of scans from hardware to software, or hardware to hardware within the network, for instance – they are almost immediately, and with increasing certainty over time, weak links in the cybersecurity chain of the network.

Hackers and cybercriminals love a weak link. It’s the kind of thing that gets them up in the early afternoon.

While we had Keith in the chair, we asked him about the situation that led medical devices to be so bizarrely unprotected while accepted for operational use all around the world in healthcare networks, and particularly in the UK’s NHS, where he’s been working to address the issue.

THQ:

Somebody’s going mad in this scenario, and we’re very much afraid it might be us. There are potentially thousands of devices in a given healthcare trust, connected to the outside world via the internet, and to the rest of the trust’s computer systems (including patient addresses, conditions, treatments, etc, as well as staff patterns, payroll and the like).

They’re extremely resistant to active scanning, but the vendors who should be able to regularly update or patch them don’t want to, and the trusts can’t afford them to do it anyway.

Did we just walk into the healthcare version of Catch 22?

KC-S:

Ha. Kind of, yeah.

A lot of these medical devices – in fact, all medical devices typically brought to market – come to market with operating systems, but with no security controls built into them.

Medical devices with no security controls?

THQ:

Say what-now?

KC-S:

That is starting to change, though. The FDA in the US is really pushing the mobile device manufacturers to ensure that they have an element of device visibility and control built into their solutions.

But on top of all of that, hospitals work with multiple vendors. If you go to any of our trusts, they will have medical devices from Fuji, Philips, GE, Healthineers and more, because they’re procuring these devices for different functions, right?

So they’re using multiple vendors and what you end up with is a situation where, even if they had a cybersecurity solution for visibility in place, you’re still looking at lots of disparate solutions, with no way of pulling all those disparate assets together, normalizing that data, or giving yourself a global view of all assets and the risk associated with those.

THQ:

We’ll be over here in the corner, crying briefly.

Medical devices are used to change the course of people's lives.

There’s no immediate mistrust reaction when it comes to medical devices.

KC-S:

Stick with me. Because there’s also the fact that these healthcare organizations providing these medical devices are not cybersecurity companies. They don’t understand all the vulnerabilities for their own products in most cases, let alone the rest of the market. That brings in an added level of complexity.

THQ:

Us. Over there. Corner. Crying.

But before we go, let’s be sure we understand something. In a normal computer system, we understand vulnerability equals threat. What sort of threat capabilities do the vulnerabilities in medical devices allow?

Ransomware on medical devices.

KC-S:

Well, they’re still IT assets. So it’s still the same risk as you would have on a typical IT asset. It’s still running an IT operating system. So ransomware is a key issue. There have been 130 attacks already this year.

THQ:

We’ll take “Things that somehow don’t make headlines” for 1000…

KC-S:

So the risk is still the same as all other IT assets, but because these assets are providing patient care, there is an even more significant risk. Rather than just ruining your week, these attacks can really impact patient safety and patient care if a device is compromised.

And we do see compromised devices in the healthcare space.

What happens is that compromised diagnostic devices like ultrasound or MRI can give you the wrong information, which can mean misdiagnosis – it could give you a false all-clear, or a false positive. So while the IT risk and impact is there, and it’s significant, it’s so much bigger than that, because that can impact patient care, patient safety, and ultimately, patients’ lives.

Medical devices are trusted implicitly.

“I’m looking at your scans.” But if the medical device is compromised…
Source: AFP/Hector Retamal.

THQ:

Well. So much for ever sleeping again. But also, beyond that frankly monstrous thought of course, as you say, there’s the standard ransomware impact on already cash-strapped health trusts – put all the money in the electronic sack or the patient data gets it.

And because of the points of connectivity, are we right in thinking that as well as the straightforward impacts of the potential ransoming of the function of the medical devices themselves, medical devices can act as a backdoor into other healthcare systems?

Medical devices – a welcome mat for malware.

KC-S:

Yeah. A lot of the medical devices connect to the internet themselves, and a lot of them have call-home VPNs, as well as, in some cases, sending data back to the medical device manufacturers.

That in itself breeds risk. Any type of device connected to the internet can be compromised. And a compromise in the healthcare sense can come from anywhere. We saw a crime in 2016 which was executed through a payload from an Excel spreadsheet. A user downloaded it on their endpoint, and it just moved laterally across the network, when you have that lateral movement.

Medical devices – open to compromise.

With their unpatched, non-upgraded nature, medical devices can be an easy entry point for bad actors.

That sort of attack can come from an IoT device, a medical device, an OT device or a building management system too. Lateral movement across a network is then just standard malware practice.

Bad actors just want to find the weakest entry point into a system. And if that system is running a really old operating system with accreting vulnerabilities, that becomes an easy attack vector or attack mechanism for malware.

So it’s crucial that you have end-to-end visibility of all devices, so that if you are compromised, or if there is malware on the systems, you have the ability to head that off before it becomes an issue.

That’s really the key – you need to know all your assets, your vulnerabilities, your risk, but also the threats. Because we’re monitoring all network traffic at the core of the network. We know when devices are compromised before anything else, so that you can stop any malware from propagating and that lateral movement from happening and spreading it across the network.

Ransomware – just…one of the unlikely, weird things that can happen during an MRI…

In Part 3 of this article, we’ll balance the terror of trust managers and the uncertainty of patients with an understanding of just how you get the visibility of all your healthcare assets, and stop them becoming the kind of hacker’s back door that so much of their situation has led them to be.